Open Source AI SOC

The Open Source
AI SOC community.

Vigil SOC brings together security engineers, researchers, and builders to develop and operate next-generation security systems in the open, through collaborative events, shared infrastructure, and real-world exercises.

Join the Community View on GitHub
13
Specialized Agents
30+
MCP Integrations
7,200+
Detection Rules
$0
License Cost (Apache 2.0)
< 3 min
Time to Running SOC
Auto-Ops

Machine-speed attacks need machine-speed defense.

Vigil ships with an Auto-Response agent that correlates signals across your stack, scores its own confidence, and contains the threat. Above your configured threshold (0.90 by default) it auto-approves; below, it routes to a human reviewer. Surgical actions (WAF block, Gateway block, session revoke) execute through a full audit trail. You set the boundary. Vigil keeps pace.

Configurableconfidence threshold
24/7continuous correlation
Fullaudit trail every action
Capabilities

Five Pillars. One Operational Stack.

Vigil works the SOC lifecycle end-to-end, from raw signal to audit-ready report, with agents that share the same context, the same workflows, and the same open architecture.

Pillar 01

Threat Detection

7,200+ rules across Sigma, Splunk, Elastic, and KQL. The Triage agent scores every alert; coverage keeps compounding as the community ships new rules.

Pillar 02

Vulnerability Analysis

The Investigator, Correlator, Threat Intel, Forensics, Network Analyst, and Malware Analyst agents trace root cause across your full stack. Every step inspectable, every decision traceable.

Pillar 03

Agent Red Teaming

Proactive, hypothesis-driven hunts mapped to MITRE ATT&CK. Workflows like Threat Hunt chain agents to probe assumptions, surface gaps, and pressure-test your defenses before adversaries do.

Pillar 04

Secure Practices

Apache 2.0, local-first, inspectable reasoning. Workflows are text files you can read, modify, and share. Every run leaves an audit trail, and the community's operational knowledge compounds.

Pillar 05

AI SOC

13 specialized agents coordinated through Bifrost, the open LLM gateway, plus 30+ MCP integrations. The Responder routes by confidence threshold so humans stay in the loop where it counts.

⚠️ A Word About the "AI SOC" Market

The year is 2025. A venture-backed startup wraps a Claude API call in some middleware, slaps "Agentic AI SOC" on the homepage, and charges you $40,000–$200,000 a year to start. The agent reasoning? A black box. The integrations? Proprietary. Your data? Uploaded to their cloud. When you ask why an agent made a call? "Trust us." We're looking at you AI SOC venders. You know who you are and what you did. The silver bullet cycle isn't working. It's time to build the capability, not buy the box. That's Vigil.

Open Source AI SOC

What Is Vigil?

Vigil is an open-source AI security operations platform. It puts a coordinated team of 13 specialized AI agents to work as your SOC, each with deep access to your security stack, each purpose-built for a specific part of the investigation lifecycle.

Built on Bifrost (an open LLM gateway) and the Model Context Protocol (MCP), Vigil is designed around a simple principle: AI agents should do the work, not just answer questions.

Say "Run incident response on finding XYZ" and agents execute in sequence: triage scores the alert, the investigator traces root cause, the responder submits containment actions, and the reporter generates audit-ready documentation. No hand-offs required.

Apache 2.0 licensed. Every agent's reasoning is inspectable. Every workflow is a text file you can read, modify, and share.

View on GitHub Quick Start →
Vigil web dashboard: AI SOC interface
The Problem

Why Open Source?

The cybersecurity market has a well-documented structural problem. Closed-source AI SOC platforms deepen it.

🔍

Transparency

When agent reasoning is inspectable, detection quality becomes measurable. You know why an agent made a call, not just that it did.

🔗

Open Integrations

Built on MCP, an open standard. When integrations are built on open standards, the ecosystem grows the platform. Every new MCP server is a free Vigil integration.

🤝

Collective Knowledge

When workflows are text files, the community's collective operational knowledge compounds. Share a playbook and everyone's SOC gets smarter.

"Security operations shouldn't be a black box you buy. It should be a capability you build, together."

Architecture

How Vigil Works

Three interlocking layers that give every agent real-time access to your entire stack.

⚙️ Workflows · Complete Playbooks in a Single Command

A workflow is a multi-agent playbook that chains specialized agents into a complete, end-to-end run. Each workflow maps to a real operational sequence and produces real outputs. Creating your own workflow is writing a WORKFLOW.md file. If your team has a process, Vigil can run it.

🚨Incident Response
Triage Investigate Respond Report

End-to-end from alert to audit-ready documentation.

🔬Full Investigation
Deep Dive Correlate Timeline

Deep-dive reconstruction with correlation across all connected data sources.

🎯Threat Hunt
Hypothesis Hunt ATT&CK Map

Proactive hypothesis-driven search using MITRE ATT&CK as the framework.

⚖️Forensic Analysis
Collect Chain-of-Custody Report

Evidence collection and analysis.

☁️Cloud Incident
Identify Blast Radius Contain Report

AWS/Azure/GCP incident response. IAM blast-radius, control-plane vs. data-plane analysis, provider-aware containment.

🔌 MCP · Your Entire Stack, Connected

Vigil uses the Model Context Protocol to give every agent real-time access to your existing tools. 30+ integrations out of the box. If a tool has an MCP server, Vigil can connect to it.

Splunk
CrowdStrike
VirusTotal
Shodan
Hybrid Analysis
Jira
Slack
DeepTempo
+ 22 more
Write your own → Any MCP server plugs right in

🏗️ Architecture

Workflow Layer
WORKFLOW.md Files · Multi-Agent Playbooks
Composable playbooks. Define agent sequence, phase-level tool access, and natural-language instructions. Workflows can invoke other workflows as sub-runs.
Agent Layer
Bifrost · 13 Specialized Agents
Defined roles, tool access, and reasoning modes. Bifrost is an open LLM gateway that handles routing, coordination, and tool invocation. A deep backend tool surface plus 100+ extended tools via MCP.
Integration Layer
MCP · 30+ Tool Integrations
Any MCP-speaking tool or data source plugs in without custom code. Handles authentication, rate limiting, and response normalization. Open standard, ecosystem grows the platform.
The Team

13 Agents. Each Built for a Job.

Specialists with defined roles, tuned reasoning modes, and access to a deep backend tool surface plus 100+ extended tools via MCP. You set the automation thresholds. Vigil keeps humans in the loop where it counts, and gets out of the way everywhere else.

T Triage Agent ⚡ Fast mode
I Investigator 🧠 Deep mode
H Threat Hunter
C Correlator
R Responder 🔒 Threshold routing
📄 Reporter
M MITRE Analyst
⚖️ Forensics
🔎 Threat Intel
📋 Compliance
🦠 Malware Analyst
🌐 Network Analyst
A Auto Responder

🔒 The Confidence Threshold: The Responder auto-approves containment actions at 0.90+ confidence. Below that, it routes to a human reviewer. You control the automation boundary. No surprises. No runaway automation.

🛡️

7,200+ Detection Rules

Spanning Sigma, Splunk, Elastic, and KQL formats. AI-assisted coverage analysis, gap identification, and template generation. Every new community rule improves every deployment.

💬

Chat-Driven Case Management

Build and update cases through natural language. Tell the system a finding is part of the lateral movement kill chain, and it handles the MITRE tagging, timeline updates, and case linkage automatically.

🔁

Auto-Ops · 24/7 Coverage

The Auto-Response agent runs continuously, ingesting findings, correlating across signals, and acting within your configured confidence threshold. The web UI remains your control plane for thresholds, escalations, and approvals. Start it with ./start_daemon.sh alongside the React + FastAPI frontend.

🏠

Local-First Architecture

Your data never leaves your environment. No cloud dependency for core functionality. MCP connections are under your control. State persists in PostgreSQL with pgvector, running locally via Docker by default.

60-Second Demo

See It Work in Under a Minute

After starting Vigil, open the web UI and try the full incident response workflow live, using sample data included in the repo.

1

Paste a finding

Use a real alert ID from your SIEM, or one of the included sample findings from the repo.

2

Run the workflow

Type: Run incident response on finding f-20260215-a1b2c3d4

3

Watch agents execute

Triage → Investigate → Respond → Report. Every step visible, every decision inspectable.

4

Review the output

Complete incident report with MITRE ATT&CK mapping, timeline, and recommended actions. Audit-ready.

The Honest Comparison

Vigil vs. Commercial AI SOCs

Every serious AI SOC platform on the market is closed source. Here's the full picture.
(Including Dropzone AI, Conifers CognitiveSOC, Radiant Security, Prophet Security, Exaforce, Torq HyperSOC. None are open source. None use MCP.)

⚔️ Vigil (Open Source) Commercial AI SOCs
License Apache 2.0, free forever Proprietary, $36K–$200K+/yr
Source Code Fully inspectable on GitHub Closed / opaque
Agent Logic Transparent, modifiable Python Black box or patented
Integrations MCP (open standard), 30+ Proprietary APIs, 50–100+
Extensibility Write a WORKFLOW.md file Vendor roadmap or pro services
Data Residency 100% local, your machine Cloud APIs, data leaves your env
Time to Try git clone, < 3 minutes Sales call, 30-day POC, procurement
Community Open contributions welcome Feature requests into a backlog
Detection Rules 7,200+ included, community-maintained Proprietary or third-party subscription
LLM Backend Claude (default), extensible architecture Vendor-locked to one provider
Quick Start

Up and Running in 3 Minutes

Three commands. No sales call. No procurement. No 30-day POC.

Requirements

Python 3.10+
Node.js 18+
Docker
Claude API key (optional for initial testing)

Installation

$ git clone --recurse-submodules \
https://github.com/Vigil-SOC/vigil.git
$ cd vigil
$ ./start_web.sh
 
# First run: 2–3 minutes
# Subsequent starts: <30 seconds
Frontend: http://localhost:6988
API Docs: http://localhost:6987/docs

DeepTempo + Vigil

Vigil is sponsored by DeepTempo. DeepTempo's LogLM is a purpose-built behavioral detection model that pairs naturally with Vigil, though the two are loosely coupled. LogLM can enhance any AI SOC or SIEM with high-fidelity detections, and Vigil works across any mix of security systems.

Clone Vigil on GitHub